Did Register.com get punked by Charles Carreon?

One of the more remarkable developments concerning free speech on the Internet was the creation of private registrations of domain names. This allows someone to create a website without revealing their identity and thus subjecting themselves to the censorious impulses of butthurt litigants and governments alike.* Sure, it’s a tool that can be abused by spammers, fraudsters, and con-artists, but protection of anonymous speech is a long-standing tradition, harking back to the days even before the First Amendment, when John Peter Zenger refused to unmask the authors of articles critical of the Crown Governor of New York.

But that protection is meaningless if, unlike John Zenger, who had the courage to face prison to protect the identities entrusted to him, domain name registrars cave in to flimsy legal threats.

Last Friday, Charles Carreon filed a First Amended Complaint (hat-tip: Popehat) in his campaign against The Oatmeal and friends. The day before that, Mr. Carreon fired off a threatening letter to Register.com, a well-known domain name registrar.

Mr. Carreon demanded that Register.com shut down parody site Charles-Carreon.com. He told Register.com (emphasis added):

Tomorrow I am going to amend the Complaint to allege a claim for cybersquatting in violation of the ACPA, with a prayer for imposition of the maximum $100,000 statutory penalty against fictitiously-named Defendant Doe 2

I hereby request that, prior to 3 p.m. PST on Friday, June 22, 2012, Register.com:

  1. Take down the Charles-Carreon.com website,
  2. Close the registrant account for Charles-Carreon.com
  3. Disclose the Private Registrant’s name and contact information to me, and
  4. Agree to deposit the Charles-Carreon.com domain name into court for disposition pursuant to court order

Mr. Carreon further noted (emphasis added):

The Complaint alleges the infringement of the Charles Carreon® mark by the creation of two fake Twitter accounts that were created in order to take over my avenues of free speech and convert them to conduits of disinformation about me. The Private Registrant [of Charles-Carreon.com] is doing the same thing by cybersquatting the Charles-Carreon.com domain.

Finally, he threatened to add Register.com itself as a defendant:

If Register.com discloses the identity of the Private Registrant prior to 3 p.m., I will name the Private Registrant as Doe 2 in the First Amended Complaint. If Register.com fails to disclose the identity of the Private Registrant by the 3 p.m. deadline, I will be forced to name Register.com as Doe 2 in the First Amended Complaint.

Carreon cites (among other things) a Federal District Court case out of Florida holding (unsurprisingly) that people who register trademarked domain names and then park them until they can try to sell them to the trademark owners are liable for trademark infringement. That has nothing to do with a registrar — the company used to register the domain. Never mind that 15 U.S.C. § 1114(2)(D)(iii) provides safe harbor for domain name registrars (like Register.com) unless they show a bad faith intent to profit from the domain name. (And, interestingly, if the registrar takes an act based on a complaint made with a “knowing and material misrepresentation”, the complaining party might be liable to the person who registered the domain.)

Let’s leave aside the question of whether or not the parody site is protected speech or fair use of Carreon’s service mark, which First Amendment attorney Marc Randazza casts some cold water on here, as such mark infringement claims are only viable where the registrant has a bad-faith intent to profit. Let’s further accept at face value Carreon’s claims that websites or Twitter accounts parodying him somehow prevent him from speaking out on his own website or Twitter account (which he has since deleted). It’s strangely ironic that Carreon would simultaneously decry that his critics are trying to foreclose upon his avenues of free speech while trying to prevent his critics from registering any web domain at all through this particular registrar.

More importantly: Carreon’s First Amended Complaint, filed the very next day, does not include any such claim against the creator of Charles-Carreon.com, as he had promised Register.com it would.

It appears that Register.com, not yet ready to join the National Wildlife Federation and American Cancer Society as defendants, complied with Carreon’s demand. The domain name information now discloses the registrant’s personal information.

It’s quite possible that the owner of the site revealed this information himself, though he says on the website, “I always intended to take a bow after the play, but prefer my mask stays on while I am in character.” But, at this point, it looks like Register.com folded in the face of Carreon’s frivolous complaint and unmasked one of his critics, which is something that should worry anyone who values anonymous speech.

[Edit: Carreon’s unmasked critic adds in the comments that he did not reveal his identity willingly.]

Now, maybe Mr. Carreon will amend his Complaint again to include this new claim. Before trial, the plaintiff can amend their complaint once without permission, but Carreon has already used this freebie and he’ll have to get permission of either the parties or the court before amending again. But even if he does amend it, it’s disappointing that a domain name registrar would cede a user’s information without a court order or subpoena.

[Edited to add Carreon’s threat to make Register.com a defendant.]

[*Edited to further add: Register.com's terms of service clearly don't make promises that they'll keep domain registration info private in this situation. In fact, they give Register.com the absolute right to do this. That, however, doesn't make the policy right. Domain name registrars like Register.com should be pressured to better defend their users' expectations and privacy rights against more than a stiff breeze.]

UPDATE: Register.com has updated the domain name information, making the registrant’s information private again. Cold comfort for Carreon’s critic, as Carreon and company already have his information.

YET ANOTHER UPDATE: Marc Randazza serves me humble pie in the comments, and I’ve reconsidered how much blame Register.com deserves for this (hint: next to none).

  • http://censoriousdouchebag.wordpress.com censoriousdouchebag

    I gave no such permission, in fact I decried the attempt immediately. At first they promised not to reveal anything without a court order, but I guess without informing me otherwise, they changed their mind. So I carry on (pun intended) fighting for the right of free speech.

    • http://www.adamsteinbaugh.com Adam Steinbaugh

      Thanks for the info — I’m hoping that you’ll post some of that information (AFTER talking to a good lawyer, of course!).

  • http://www.randazza.com/ marcorandazza

    Domain privacy services all reveal your information if presented with a letter. ICANN Rule 3.7.7.2 all but requires it. Essentially, that makes the privacy service stand in the shoes of the actual registrant.

    I do not agree that this is problematic. What do you want for $1 per year? That’s not market rate for defending you!

    What someone should launch is a “robust privacy service” — where the service charges a few hundred bucks a year, but pools that money to actually fight illegitimate cases (but makes smart internal decisions about the claims and gives up those who might actually be using the service for wrongdoing).

    • http://gravatar.com/dtg295 dtg295

      3.7.7.2 states that the information must be accurate and does not require a registrar to reveal someone’s information just because someone claims they need it. I don’t know what you’re smoking but nice try idiot.

      • http://www.adamsteinbaugh.com Adam Steinbaugh

        Marc’s right on this one. Humble pie-eating (and appeal to authority) post coming soon.

      • Jack

        Marc is right. The provider of a privacy service is standing in for the owner for the domain, and as such they have to provide accurate information. In this case that accurate information is the true owner’s contact info. Taken in its entirety, the ICANN RAA, especially section 3.7.7.3, makes this pretty clear, and assigns liability to the privacy service.

    • http://www.citizen.org/Page.aspx?pid=396 Paul Alan Levy

      Forgive me, but since when do ICANN rules override national law? The Ninth Circuit — where Carreon’s lawsuit is pending — has squarely held that registrars cannot be held liable for trademark violations in domain names. Lockheed Martin Corp. v. Network Solutions, Inc., 194 F.3d 980 (9th Cir. 1999). Little wonder that, when I pointed this out to them (as well as pointing out how frivolous Carreon’s threatened claims are on the merits) Register.com restored the Doe’s anonymity.

      • http://www.adamsteinbaugh.com Adam Steinbaugh

        My understanding is that a mark holder has two remedies against alleged infringers: sue under Lanham and/or force the domain holder into arbitration pursuant to ICANN’s rules (and alleging a breach of those rules).

        But, under ICANN’s rules, the only remedy available to the mark holder is to force a transfer of the domain name. If the mark holder wants damages, they would have to sue under Lanham.

        That, it seems to me, would make Mr. Carreon’s threats of a next-day lawsuit against Register.com even more ridiculous. Register.com would have a safe harbor against a Lanham claim by virtue of § 1114(2)(D)(iii), absent a showing that they somehow acted in bad faith — which I would imagine doesn’t encompass the spare change they made from the mere registration of the domain.

        (and I hope Mr. Randazza will weigh in, as I can only speculate based on, er, a Wikipedia article.)

        • http://www.randazza.com/ marcorandazza

          The registrar CAN be liable under contributory infringement theories. See Solid Host v. NameCheap, 652 F.Supp.2d 1092 (2009).

          Registrars know this. This is why privacy services are not robust. It can get past a motion to dismiss, so why should a registrar or privacy service put themselves in harm’s way — even if that harm is not likely — for someone who paid them a mere dollar for privacy protection?

          • http://twitter.com/bvierra bvierra (@bvierra)

            First of all, please don’t take this as any disrespect or arguing with you, it is the tech in me seeing a huge difference between the 2 cases.

            From Solid Host v. NameCheap the reason that NC was not immune under Section 1114(2)(D) was ‘Section 1114(2)(D)(i) provides that “[a] domain name registrar, a domain name registry, or other domain name registration authority” shall not be liable for damages…’ Followed by ‘While § 1114(2)(D)(I) might protect NameCheap if it acted as the registrar for , given the allegations in the complaint, the court must assume for purposes of this motion that it did not act as registrar of the name.’

            Are the facts not completely different in this case? In Solid Host v. NameCheap, NameCheap was held as not registering the domain since it was transferred to them by an unknown hacker from eNom. eNom per the court was the registrar (so I assume would have fallen under this clause).

            Where in this instance, the domain was registered with register.com nor was there any allegation that the domain was hacked elsewhere and transferred to register.com.

            I would think that Solid Host v. NameCheap has absolutely no factual bearing on this case.

            Once again just trying to understand :)

      • http://www.randazza.com/ marcorandazza

        It’s not the registrar, Paul, that would be liable. It is the privacy service. If they are one and the same, the safe harbor under Lockheed does not necessarily apply. See Solid Host v. NameCheap, 652 F.Supp.2d 1092 (2009).

  • Jack

    I think that ICANN RAA 3.7.7.3 is applicable here as it essentially makes the proxy service provider liable for a customer’s actions unless they cancel the service.

    ICANN and registrars are currently negotiating revisions to add some protections, as well as clarification to 3.7.7.3 for customers and registrars:
    https://community.icann.org/pages/viewpage.action?pageId=30346617

    I think that Marc’s idea for a “robust privacy service” would do well if they could find a price-point somewhere in the $20 range.

  • alpha4centauri

    ICANN’s rules are ICANN’s rules. They cover the top level domain names that ICANN controls (e.g., .com, .org, .net, etc.) Their rules require the domain registrant information to be public. Privacy services are to keep your email address from being harvested by spammers, but they only comply with ICANN rules to the extent that the information is not truly secret. Different privacy services create different roadblocks to getting the information, but ultimately, it has to be public. Also, to the extent that the registrant’s name isn’t on a registration, he/she doesn’t formally own the domain — the proxy registration company does. Domains are stolen all the time, and anyone who registers a domain they expect to have value over time should think very hard about taking that risk.

    If you want to register a domain with more privacy than ICANN permits, there are other registries with their own rules. You will find it much more difficult to get the name of the domain owner for a .ru domain, for instance.
